DOCSLIB.ORG

Modern Factoring Algorithms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Modern Factoring Algorithms Modern Factoring Algorithms Kostas Bimpikis and Ragesh Jaiswal University of California, San Diego ... both Gauss and lesser mathematicians may be justified in rejoicing that there is one science [number theory] at any rate, and that their own, whose very remoteness from ordinary human activities should keep it gentle and clean. - G.H. Hardy, A Mathematician’s Apology, 1940 Unfortunately for Hardy, nowadays, number theoretic results form the basis of several applica- tions in the field of cryptography. In this survey, we will present the most recent approaches on solving the factoring problem. In particular, we will study Pollard’s ρ algorithm, the Quadratic and Number Field Sieve and finally, we will give a brief overview on factoring in quantum com- puters. 1. INTRODUCTION The Integer Factorization problem is defined as follows: given a composite integer N, find a non-trivial factor e of N, i.e. find e such that e|N. The most straight- forward method of factoring is√trial division, which, essentially, checks for every prime number√ p, such that p ≤ N, if p|N. However, trial division may take more than O( N) bit operations, which makes it extremely inefficient for the numbers of interest. Before going on with describing the modern ideas for factoring, it would be inter- esting to give some facts about the history of the problem. Integer factorization is one of the oldest problems in mathematics. Many of the techniques used in modern factoring algorithms date back to ancient Greece (eg. the sieve of Eratosthenes, Euclid’s algorithm for finding the gcd). The great mathematicians of the 17th and 18th century (Fermat, Euler Legendre, Gauss, Jacobi), also, contributed with a number of ideas. But the major breakthroughs happened during the last 30 years, especially after the introduction of public key cryptography, and in particular of the RSA cryptosystem. Specifically, it can be shown that if factoring is solved efficiently, then the RSA cryptosystem would become extremely insecure. That is why, RSA Security, the company behind RSA cryptosystem, provides funding for a factoring competition, the so-called RSA challenge. Interestingly enough, the most recent algorithmic improvements in factoring are closely associated with a RSA challenge number. Factoring is also interesting from a complexity theoretic point of view. Its com- plexity status hasn’t been resolved yet. Its decision version (”has N a factor less than M?”) is known to belong to both NP and coNP . However, it is suspected that it isn’t NP -complete or coNP -complete, since otherwise this would imply that NP = coNP , which is a rather surprising result. Moreover, it is known to be in BQP (bounded error quantum polynomial time) because of Shor’s algorithm [Shor, 2 · Modern Factoring Algorithms 1994]. This paper is organized as follows: in section 2 we present Pollard’s ρ algorithm, which was the first major improvement over the naive trial division algorithm. Then, in section 3 we describe the best two algorithms up to date: quadratic sieve and number field sieve. These two algorithms follow the same pattern and that is why we categorize them under the same name: sieve algorithms. In section 4 we present Shor’s algorithm for factoring in quantum computers. Finally, in section 5 we conclude and provide the current status of the factoring problem. 2. POLLARD’S ρ ALGORITHM In 1975 John M. Pollard proposed a very efficient Monte Carlo algorithm for fac- toring, now known as Pollard’s ρ method. The algorithm is substantially faster than trial division for finding a small non-trivial factor of a large integer N, if such exists. 2.1 Basic ideas The basic component of Pollard’s ρ algorithm is a sequence of pseudo-random integers constructed in the following way: x0 = random(0,N − 1) xi = f(xi−1)(mod N), i = 1, 2, ··· where f is a polynomial with integer coefficients, eg. in most practical implemen- tations of the algorithm f(x) = x2 + α, α 6= 0, −2. The intuition behind the algorithm is the following simple observation: suppose that N is the number we would like to factor and d is a non-trivial divisor of it. We further assume that d is small compared to N. Since, there is a smaller number of congruence classes modulo d than modulo N, it is quite probable, that there exist numbers xi and xj, such that: xi ≡ xj mod d and xi 6≡ xj mod N From the above we conclude that d|(xi − xj) and N 6 |(xi − xj), thus, it follows that gcd(xi − xj,N) is a non-trivial divisor of N. Let’s see how we can combine the previous observation with the sequence of integers described above to devise an efficient algorithm to compute a non-trivial factor d of N. First of all, note that, although we don’t know d, we can use the xi’s to get a non-trivial factor of N by simply calculating α = gcd(xi − xj,N) at each step for every xj with j < i. Most of the times α will be equal to 1, but we expect that it won’t take too many steps to find d. The algorithm will become apparent with an example: 2 Let N = 1079 = 13 ∗ 83, f(x) = x − 1 and x0=2. Then the sequence of pseudo-random integers generated by f is the following: 2, 3, 8, 63, 1194, 1186, 177, 814, 996, 310, 396, ··· At each step i of the algorithm we compute gcd(xi − xj,N) for every j < i. In our Modern Factoring Algorithms · 3 case: gcd(x1 − x0,N) = gcd(3 − 2, 1079) = 1 gcd(x2 − x1,N) = gcd(8 − 3, 1079) = 1 gcd(x2 − x0,N) = gcd(8 − 2, 1079) = 1 gcd(x3 − x2,N) = gcd(63 − 8, 1079) = 1 gcd(x3 − x1,N) = gcd(63 − 3, 1079) = 1 gcd(x3 − x0,N) = gcd(63 − 2, 1079) = 1 gcd(x3 − x2,N) = gcd(1194 − 63, 1079) = 13 The algorithm made only 7 calculations to find the divisor 13. 2.2 Improvements Unfortunately, we cannot always guarantee that we will find d in such a small number of steps. Therefore, the cost of computing gcd(xi − xj,N) for every j < i becomes prohibitive as i increases. There are a few ways we could improve the algorithm: —Pollard proposed using Floyd’s cycle-finding algorithm to reduce the number of steps before two integers are found, such that xi ≡ xj (mod d). To be more specific, the improved algorithm computes the following gcd’s only: gcd(x2i − xi,N) i = 1, 2, ··· To see why this works, suppose that xi ≡ xj (mod d). Then, it is easy to see that xi+1 ≡ xj+1 mod d, since xi+1 = f(xi) and xj+1 = f(xj). We can extend this fact to every xi+k ≡ xj+k (mod d) (k=1, 2, ··· ), so eventually there will be an i, such that x2i = xi mod d. So, we conclude that it suffices to compute for every i only one gcd (gcd(x2i − xi,N)) instead of i − 1. Also, note that we can exploit the following fact, in order to compute x2i, without using the values xi+1, xi+2, ··· , x2i−1: y0 = x0 y1 = x2 = f(x1) = f(f(x0)) = f(f(y0)) y2 = x4 = f(x3) = f(f(x2)) = f(f(y1)) . yi = x2i = f(x2i−1) = f(f(x2i−2)) = f(f(yi−1)) So, this allows us to compute x2i by storing only a single value, namely yi−1. —Another useful trick is instead of performing a gcd operation at every single step, to construct big products and perform a single gcd operation every, say, n steps. In other words, instead of computing gcd(x2i − xi,N) for every i, we perform one gcd computation every n steps (gcd(Qn,N) by setting Qn = n Πi=1(x2i − xi)(mod N). It is easy to see that if gcd(x2i − xi,N) = d > 1, then also gcd(Qn,N) > 1. —Brent proposed a slight modification to Pollard’s ρ algorithm. Specifically, in- stead of computing gcd(x2i − xi,N) he considers a different set of differences. This modification reduces the running time by 1/4. 4 · Modern Factoring Algorithms 2.3 Running time analysis Suppose that p is a prime divisor of N. Then, we will show that it takes Pollard’s algorithm an expected number of O(p(p)) iterations to find p. In order to prove this statement we will use the birthday paradox (see appendix in [Bellare et al., 2004]). First of all, we assume that the numbers generated by f have a ”random” be- havior, i.e. are independently chosen from {0, 1, ··· , p − 1}, which is essential for the birthday paradox to apply in our setting. Suppose that we have the first k numbers of the sequence in hand x1, x2, ··· , xk. Then, according to the birthday paradox, the probability that all these k numbers are distinct (mod p) is equal to the following: 1 2 k − 1 −k2 (1 − )(1 − ) ··· (1 − ) ≈ exp( ) p p p 2p √ From the above we conclude that if k = O( p), then the probability of finding √ the values x2i, xi we are looking for is high. So, we conclude that after O( p) we expect to find p. Each iteration consists of computing xi, x2i = yi and gcd(x2i − xi,N), so we need 3 modular multiplications, 4 modular additions (subtractions are counted as additions) and one gcd operation per iteration. This gives us a running time of 2 O(|N| ) per iteration.
Load more

Recommended publications
  • Fast Tabulation of Challenge Pseudoprimes Andrew Shallue and Jonathan Webster
    THE OPEN BOOK SERIES 2 ANTS XIII Proceedings of the Thirteenth Algorithmic Number Theory Symposium Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster msp THE OPEN BOOK SERIES 2 (2019) Thirteenth Algorithmic Number Theory Symposium msp dx.doi.org/10.2140/obs.2019.2.411 Fast tabulation of challenge pseudoprimes Andrew Shallue and Jonathan Webster We provide a new algorithm for tabulating composite numbers which are pseudoprimes to both a Fermat test and a Lucas test. Our algorithm is optimized for parameter choices that minimize the occurrence of pseudoprimes, and for pseudoprimes with a fixed number of prime factors. Using this, we have confirmed that there are no PSW-challenge pseudoprimes with two or three prime factors up to 280. In the case where one is tabulating challenge pseudoprimes with a fixed number of prime factors, we prove our algorithm gives an unconditional asymptotic improvement over previous methods. 1. Introduction Pomerance, Selfridge, and Wagstaff famously offered $620 for a composite n that satisfies (1) 2n 1 1 .mod n/ so n is a base-2 Fermat pseudoprime, Á (2) .5 n/ 1 so n is not a square modulo 5, and j D (3) Fn 1 0 .mod n/ so n is a Fibonacci pseudoprime, C Á or to prove that no such n exists. We call composites that satisfy these conditions PSW-challenge pseudo- primes. In[PSW80] they credit R. Baillie with the discovery that combining a Fermat test with a Lucas test (with a certain specific parameter choice) makes for an especially effective primality test[BW80].
    [Show full text]
  • On Fixed Points of Iterations Between the Order of Appearance and the Euler Totient Function
    mathematics Article On Fixed Points of Iterations Between the Order of Appearance and the Euler Totient Function ŠtˇepánHubálovský 1,* and Eva Trojovská 2 1 Department of Applied Cybernetics, Faculty of Science, University of Hradec Králové, 50003 Hradec Králové, Czech Republic 2 Department of Mathematics, Faculty of Science, University of Hradec Králové, 50003 Hradec Králové, Czech Republic; [email protected] * Correspondence: [email protected] or [email protected]; Tel.: +420-49-333-2704 Received: 3 October 2020; Accepted: 14 October 2020; Published: 16 October 2020 Abstract: Let Fn be the nth Fibonacci number. The order of appearance z(n) of a natural number n is defined as the smallest positive integer k such that Fk ≡ 0 (mod n). In this paper, we shall find all positive solutions of the Diophantine equation z(j(n)) = n, where j is the Euler totient function. Keywords: Fibonacci numbers; order of appearance; Euler totient function; fixed points; Diophantine equations MSC: 11B39; 11DXX 1. Introduction Let (Fn)n≥0 be the sequence of Fibonacci numbers which is defined by 2nd order recurrence Fn+2 = Fn+1 + Fn, with initial conditions Fi = i, for i 2 f0, 1g. These numbers (together with the sequence of prime numbers) form a very important sequence in mathematics (mainly because its unexpectedly and often appearance in many branches of mathematics as well as in another disciplines). We refer the reader to [1–3] and their very extensive bibliography. We recall that an arithmetic function is any function f : Z>0 ! C (i.e., a complex-valued function which is defined for all positive integer).
    [Show full text]
  • Lecture 3: Chinese Remainder Theorem 25/07/08 to Further
    Department of Mathematics MATHS 714 Number Theory: Lecture 3: Chinese Remainder Theorem 25/07/08 To further reduce the amount of computations in solving congruences it is important to realise that if m = m1m2 ...ms where the mi are pairwise coprime, then a ≡ b (mod m) if and only if a ≡ b (mod mi) for every i, 1 ≤ i ≤ s. This leads to the question of simultaneous solution of a system of congruences. Theorem 1 (Chinese Remainder Theorem). Let m1,m2,...,ms be pairwise coprime integers ≥ 2, and b1, b2,...,bs arbitrary integers. Then, the s congruences x ≡ bi (mod mi) have a simultaneous solution that is unique modulo m = m1m2 ...ms. Proof. Let ni = m/mi; note that (mi, ni) = 1. Every ni has an inversen ¯i mod mi (lecture 2). We show that x0 = P1≤j≤s nj n¯j bj is a solution of our system of s congruences. Since mi divides each nj except for ni, we have x0 = P1≤j≤s njn¯j bj ≡ nin¯ibj (mod mi) ≡ bi (mod mi). Uniqueness: If x is any solution of the system, then x − x0 ≡ 0 (mod mi) for all i. This implies that m|(x − x0) i.e. x ≡ x0 (mod m). Exercise 1. Find all solutions of the system 4x ≡ 2 (mod 6), 3x ≡ 5 (mod 7), 2x ≡ 4 (mod 11). Exercise 2. Using the Chinese Remainder Theorem (CRT), solve 3x ≡ 11 (mod 2275). Systems of linear congruences in one variable can often be solved efficiently by combining inspection (I) and Euclid’s algorithm (EA) with the Chinese Remainder Theorem (CRT).
    [Show full text]
  • Primality Testing and Integer Factorisation
    Primality Testing and Integer Factorisation Richard P. Brent, FAA Computer Sciences Laboratory Australian National University Canberra, ACT 2601 Abstract The problem of finding the prime factors of large composite numbers has always been of mathematical interest. With the advent of public key cryptosystems it is also of practical importance, because the security of some of these cryptosystems, such as the Rivest-Shamir-Adelman (RSA) system, depends on the difficulty of factoring the public keys. In recent years the best known integer factorisation algorithms have improved greatly, to the point where it is now easy to factor a 60-decimal digit number, and possible to factor numbers larger than 120 decimal digits, given the availability of enough computing power. We describe several recent algorithms for primality testing and factorisation, give examples of their use and outline some applications. 1. Introduction It has been known since Euclid’s time (though first clearly stated and proved by Gauss in 1801) that any natural number N has a unique prime power decomposition α1 α2 αk N = p1 p2 ··· pk (1.1) αj (p1 < p2 < ··· < pk rational primes, αj > 0). The prime powers pj are called αj components of N, and we write pj kN. To compute the prime power decomposition we need – 1. An algorithm to test if an integer N is prime. 2. An algorithm to find a nontrivial factor f of a composite integer N. Given these there is a simple recursive algorithm to compute (1.1): if N is prime then stop, otherwise 1. find a nontrivial factor f of N; 2.
    [Show full text]
  • Computing Prime Divisors in an Interval
    MATHEMATICS OF COMPUTATION Volume 84, Number 291, January 2015, Pages 339–354 S 0025-5718(2014)02840-8 Article electronically published on May 28, 2014 COMPUTING PRIME DIVISORS IN AN INTERVAL MINKYU KIM AND JUNG HEE CHEON Abstract. We address the problem of finding a nontrivial divisor of a com- posite integer when it has a prime divisor in an interval. We show that this problem can be solved in time of the square root of the interval length with a similar amount of storage, by presenting two algorithms; one is probabilistic and the other is its derandomized version. 1. Introduction Integer factorization is one of the most challenging problems in computational number theory. It has been studied for centuries, and it has been intensively in- vestigated after introducing the RSA cryptosystem [18]. The difficulty of integer factorization has been examined not only in pure factoring situations but also in various modified situations. One such approach is to find a nontrivial divisor of a composite integer when it has prime divisors of special form. These include Pol- lard’s p − 1 algorithm [15], Williams’ p + 1 algorithm [20], and others. On the other hand, owing to the importance and the usage of integer factorization in cryptog- raphy, one needs to examine this problem when some partial information about divisors is revealed. This side information might be exposed through the proce- dures of generating prime numbers or through some attacks against crypto devices or protocols. This paper deals with integer factorization given the approximation of divisors, and it is motivated by the above mentioned research.
    [Show full text]
  • Fast Generation of RSA Keys Using Smooth Integers
    1 Fast Generation of RSA Keys using Smooth Integers Vassil Dimitrov, Luigi Vigneri and Vidal Attias Abstract—Primality generation is the cornerstone of several essential cryptographic systems. The problem has been a subject of deep investigations, but there is still a substantial room for improvements. Typically, the algorithms used have two parts – trial divisions aimed at eliminating numbers with small prime factors and primality tests based on an easy-to-compute statement that is valid for primes and invalid for composites. In this paper, we will showcase a technique that will eliminate the first phase of the primality testing algorithms. The computational simulations show a reduction of the primality generation time by about 30% in the case of 1024-bit RSA key pairs. This can be particularly beneficial in the case of decentralized environments for shared RSA keys as the initial trial division part of the key generation algorithms can be avoided at no cost. This also significantly reduces the communication complexity. Another essential contribution of the paper is the introduction of a new one-way function that is computationally simpler than the existing ones used in public-key cryptography. This function can be used to create new random number generators, and it also could be potentially used for designing entirely new public-key encryption systems. Index Terms—Multiple-base Representations, Public-Key Cryptography, Primality Testing, Computational Number Theory, RSA ✦ 1 INTRODUCTION 1.1 Fast generation of prime numbers DDITIVE number theory is a fascinating area of The generation of prime numbers is a cornerstone of A mathematics. In it one can find problems with cryptographic systems such as the RSA cryptosystem.
    [Show full text]
  • The Quadratic Sieve Factoring Algorithm
    The Quadratic Sieve Factoring Algorithm Eric Landquist MATH 488: Cryptographic Algorithms December 14, 2001 1 1 Introduction Mathematicians have been attempting to find better and faster ways to fac- tor composite numbers since the beginning of time. Initially this involved dividing a number by larger and larger primes until you had the factoriza- tion. This trial division was not improved upon until Fermat applied the factorization of the difference of two squares: a2 b2 = (a b)(a + b). In his method, we begin with the number to be factored:− n. We− find the smallest square larger than n, and test to see if the difference is square. If so, then we can apply the trick of factoring the difference of two squares to find the factors of n. If the difference is not a perfect square, then we find the next largest square, and repeat the process. While Fermat's method is much faster than trial division, when it comes to the real world of factoring, for example factoring an RSA modulus several hundred digits long, the purely iterative method of Fermat is too slow. Sev- eral other methods have been presented, such as the Elliptic Curve Method discovered by H. Lenstra in 1987 and a pair of probabilistic methods by Pollard in the mid 70's, the p 1 method and the ρ method. The fastest algorithms, however, utilize the− same trick as Fermat, examples of which are the Continued Fraction Method, the Quadratic Sieve (and it variants), and the Number Field Sieve (and its variants). The exception to this is the El- liptic Curve Method, which runs almost as fast as the Quadratic Sieve.
    [Show full text]
  • Sequences of Primes Obtained by the Method of Concatenation
    SEQUENCES OF PRIMES OBTAINED BY THE METHOD OF CONCATENATION (COLLECTED PAPERS) Copyright 2016 by Marius Coman Education Publishing 1313 Chesapeake Avenue Columbus, Ohio 43212 USA Tel. (614) 485-0721 Peer-Reviewers: Dr. A. A. Salama, Faculty of Science, Port Said University, Egypt. Said Broumi, Univ. of Hassan II Mohammedia, Casablanca, Morocco. Pabitra Kumar Maji, Math Department, K. N. University, WB, India. S. A. Albolwi, King Abdulaziz Univ., Jeddah, Saudi Arabia. Mohamed Eisa, Dept. of Computer Science, Port Said Univ., Egypt. EAN: 9781599734668 ISBN: 978-1-59973-466-8 1 INTRODUCTION The definition of “concatenation” in mathematics is, according to Wikipedia, “the joining of two numbers by their numerals. That is, the concatenation of 69 and 420 is 69420”. Though the method of concatenation is widely considered as a part of so called “recreational mathematics”, in fact this method can often lead to very “serious” results, and even more than that, to really amazing results. This is the purpose of this book: to show that this method, unfairly neglected, can be a powerful tool in number theory. In particular, as revealed by the title, I used the method of concatenation in this book to obtain possible infinite sequences of primes. Part One of this book, “Primes in Smarandache concatenated sequences and Smarandache-Coman sequences”, contains 12 papers on various sequences of primes that are distinguished among the terms of the well known Smarandache concatenated sequences (as, for instance, the prime terms in Smarandache concatenated odd
    [Show full text]
  • Number Theory Course Notes for MA 341, Spring 2018
    Number Theory Course notes for MA 341, Spring 2018 Jared Weinstein May 2, 2018 Contents 1 Basic properties of the integers 3 1.1 Definitions: Z and Q .......................3 1.2 The well-ordering principle . .5 1.3 The division algorithm . .5 1.4 Running times . .6 1.5 The Euclidean algorithm . .8 1.6 The extended Euclidean algorithm . 10 1.7 Exercises due February 2. 11 2 The unique factorization theorem 12 2.1 Factorization into primes . 12 2.2 The proof that prime factorization is unique . 13 2.3 Valuations . 13 2.4 The rational root theorem . 15 2.5 Pythagorean triples . 16 2.6 Exercises due February 9 . 17 3 Congruences 17 3.1 Definition and basic properties . 17 3.2 Solving Linear Congruences . 18 3.3 The Chinese Remainder Theorem . 19 3.4 Modular Exponentiation . 20 3.5 Exercises due February 16 . 21 1 4 Units modulo m: Fermat's theorem and Euler's theorem 22 4.1 Units . 22 4.2 Powers modulo m ......................... 23 4.3 Fermat's theorem . 24 4.4 The φ function . 25 4.5 Euler's theorem . 26 4.6 Exercises due February 23 . 27 5 Orders and primitive elements 27 5.1 Basic properties of the function ordm .............. 27 5.2 Primitive roots . 28 5.3 The discrete logarithm . 30 5.4 Existence of primitive roots for a prime modulus . 30 5.5 Exercises due March 2 . 32 6 Some cryptographic applications 33 6.1 The basic problem of cryptography . 33 6.2 Ciphers, keys, and one-time pads .
    [Show full text]
  • Introduction to Number Theory CS1800 Discrete Math; Notes by Virgil Pavlu; Updated November 5, 2018
    Introduction to Number Theory CS1800 Discrete Math; notes by Virgil Pavlu; updated November 5, 2018 1 modulo arithmetic All numbers here are integers. The integer division of a at n > 1 means finding the unique quotient q and remainder r 2 Zn such that a = nq + r where Zn is the set of all possible remainders at n : Zn = f0; 1; 2; 3; :::; n−1g. \mod n" = remainder at division with n for n > 1 (n it has to be at least 2) \a mod n = r" means mathematically all of the following : · r is the remainder of integer division a to n · a = n ∗ q + r for some integer q · a; r have same remainder when divided by n · a − r = nq is a multiple of n · n j a − r, a.k.a n divides a − r EXAMPLES 21 mod 5 = 1, because 21 = 5*4 +1 same as saying 5 j (21 − 1) 24 = 10 = 3 = -39 mod 7 , because 24 = 7*3 +3; 10=7*1+3; 3=7*0 +3; -39=7*(-6)+3. Same as saying 7 j (24 − 10) or 7 j (3 − 10) or 7 j (10 − (−39)) etc LEMMA two numbers a; b have the same remainder mod n if and only if n divides their difference. We can write this in several equivalent ways: · a mod n = b mod n, saying a; b have the same remainder (or modulo) · a = b( mod n) · n j a − b saying n divides a − b · a − b = nk saying a − b is a multiple of n (k is integer but its value doesnt matter) 1 EXAMPLES 21 = 11 (mod 5) = 1 , 5 j (21 − 11) , 21 mod 5 = 11 mod 5 86 mod 10 = 1126 mod 10 , 10 j (86 − 1126) , 86 − 1126 = 10k proof: EXERCISE.
    [Show full text]
  • On Sets of Coprime Integers in Intervals Paul Erdös, András Sárközy
    On sets of coprime integers in intervals Paul Erdös, András Sárközy To cite this version: Paul Erdös, András Sárközy. On sets of coprime integers in intervals. Hardy-Ramanujan Journal, Hardy-Ramanujan Society, 1993, 16, pp.1 - 20. hal-01108688 HAL Id: hal-01108688 https://hal.archives-ouvertes.fr/hal-01108688 Submitted on 23 Jan 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. 1 Hardy-Ramanujan Joumal Vol.l6 (1993) 1-20 On sets of coprime integers in intervals P. Erdos and Sarkozy 1 1. Throughout this paper we use the following notations : ~ denotes the set of the integers. N denotes the set of the positive integers. For A C N,m E N,u E ~we write .A(m,u) ={f.£; a E A, a= u(mod m)}. IP(n) denotes Euler';; function. Pk dznotcs the kth prime: P1 = 2,p2 = 3,· ··and k we put Pk = IJP•· If k E N and k ~ 2, then .PA:(A) denotes the number of i=l the k-tuples (at,···, ak) such that at E A,·· · , ak E A,ai < a2 < · · · < ak and (at,aj = 1) for 1::; i < j::; k.
    [Show full text]
  • Integer Factorization and Computing Discrete Logarithms in Maple
    Integer Factorization and Computing Discrete Logarithms in Maple Aaron Bradford∗, Michael Monagan∗, Colin Percival∗ [email protected], [email protected], [email protected] Department of Mathematics, Simon Fraser University, Burnaby, B.C., V5A 1S6, Canada. 1 Introduction As part of our MITACS research project at Simon Fraser University, we have investigated algorithms for integer factorization and computing discrete logarithms. We have implemented a quadratic sieve algorithm for integer factorization in Maple to replace Maple's implementation of the Morrison- Brillhart continued fraction algorithm which was done by Gaston Gonnet in the early 1980's. We have also implemented an indexed calculus algorithm for discrete logarithms in GF(q) to replace Maple's implementation of Shanks' baby-step giant-step algorithm, also done by Gaston Gonnet in the early 1980's. In this paper we describe the algorithms and our optimizations made to them. We give some details of our Maple implementations and present some initial timings. Since Maple is an interpreted language, see [7], there is room for improvement of both implementations by coding critical parts of the algorithms in C. For example, one of the bottle-necks of the indexed calculus algorithm is finding and integers which are B-smooth. Let B be a set of primes. A positive integer y is said to be B-smooth if its prime divisors are all in B. Typically B might be the first 200 primes and y might be a 50 bit integer. ∗This work was supported by the MITACS NCE of Canada. 1 2 Integer Factorization Starting from some very simple instructions | \make integer factorization faster in Maple" | we have implemented the Quadratic Sieve factoring al- gorithm in a combination of Maple and C (which is accessed via Maple's capabilities for external linking).
    [Show full text]